Merged
Pull request overview
This PR introduces a new SPIFFE-based signing/verification utility (crypto/spiffe/signer) intended to let callers sign digests using the workload’s X.509 SVID private key and verify signatures and certificate chains against SPIFFE trust bundles.
Changes:
- Added `crypto/spiffe/signer` with signing (Ed25519/ECDSA/RSA), signature verification, and certificate chain-of-trust verification.
- Added a `crypto/spiffe/trustanchors/fake` implementation for tests and consumers needing an in-memory trust bundle.
- Simplified a no-op `Watch` implementation in `trustanchors/multi`.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| crypto/spiffe/trustanchors/multi/multi.go | Simplifies no-op Watch implementation. |
| crypto/spiffe/trustanchors/fake/fake.go | Adds a fake trust anchors implementation backed by an in-memory X.509 bundle. |
| crypto/spiffe/signer/signer.go | Introduces SPIFFE-based signing and verification APIs, including chain-of-trust verification. |
| crypto/spiffe/signer/signer_test.go | Adds comprehensive tests for signing/verification and chain-of-trust scenarios. |
acroca reviewed Mar 23, 2026
Introduce crypto/spiffe/signer, which provides cryptographic signing and verification using the workload's X.509 SVID identity and trust bundles. Supports Ed25519, ECDSA, and RSA key types. Signed-off-by: joshvanl <me@joshvanl.dev>
the cryptographic signature and not the certificate chain of trust. VerifyCertChainOfTrust now takes a signingTime parameter instead of using leaf.NotAfter as the verification time. This allows callers to verify historical signatures using the timestamp of the event, correctly accepting certificates that were valid at signing time while rejecting expired certificates used for new signatures. Switch ECDSA signing from R|S (IEEE P1363) to ASN.1 DER encoding using SignASN1/VerifyASN1, which is the standard Go/X.509 format. Signed-off-by: joshvanl <me@joshvanl.dev>
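The two commit messages above describe three design points: the signature check is separate from the chain-of-trust check, chain verification is evaluated at the caller-supplied signing time rather than at the leaf's expiry, and ECDSA signatures are ASN.1 DER (`SignASN1`/`VerifyASN1`). The following Go program is an added example, not code from the PR or from the repository it targets, and it covers only the ECDSA path. Everything in it is assumed: the function names (`newTestPKI`, `signDigest`, `verifySignature`, `verifyCertChainOfTrust`, `verifySigned`), the constructed SPIFFE ID `spiffe://example.org/workload`, and the in-memory root used in place of a real trust bundle. It deliberately issues an SVID that has already expired, then shows that a signature made during its validity window still verifies when checked at the signing time but is rejected when checked at the current time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// must panics on error; used only by the fixture builder below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue signs tmpl with signer under parent and parses the DER back.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// newTestPKI is a constructed in-memory stand-in for a trust bundle and a workload SVID
// (example scaffolding, not the PR's trustanchors/fake): a root plus one leaf valid for [notBefore, notAfter].
func newTestPKI(notBefore, notAfter time.Time) (leaf *x509.Certificate, leafKey *ecdsa.PrivateKey, bundle *x509.CertPool) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed example root"},
		NotBefore:             notBefore.Add(-24 * time.Hour), // the root outlives the leaf on both ends
		NotAfter:              notAfter.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leafKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	spiffeID := must(url.Parse("spiffe://example.org/workload")) // constructed SPIFFE ID
	leaf = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "constructed workload SVID"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		URIs:         []*url.URL{spiffeID},
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, root, &leafKey.PublicKey, rootKey)
	bundle = x509.NewCertPool()
	bundle.AddCert(root)
	return leaf, leafKey, bundle
}
// signDigest signs a pre-hashed message with the SVID key as ASN.1 DER (ecdsa.SignASN1), not R|S.
func signDigest(key *ecdsa.PrivateKey, digest []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, digest)
}

// verifySignature checks only the cryptographic signature under the leaf's public key.
func verifySignature(leaf *x509.Certificate, digest, sig []byte) bool {
	if pub, ok := leaf.PublicKey.(*ecdsa.PublicKey); ok {
		return ecdsa.VerifyASN1(pub, digest, sig)
	}
	return false
}

// verifyCertChainOfTrust builds a path from leaf to a bundle root, evaluating validity at
// signingTime rather than now, so a signature made while the SVID was valid still verifies later.
func verifyCertChainOfTrust(leaf *x509.Certificate, bundle *x509.CertPool, signingTime time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       bundle,
		CurrentTime: signingTime,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// verifySigned requires both: a trusted chain at signingTime and a valid signature.
func verifySigned(leaf *x509.Certificate, bundle *x509.CertPool, digest, sig []byte, signingTime time.Time) error {
	if err := verifyCertChainOfTrust(leaf, bundle, signingTime); err != nil {
		return fmt.Errorf("chain of trust: %w", err)
	}
	if !verifySignature(leaf, digest, sig) {
		return fmt.Errorf("signature does not verify under the SVID public key")
	}
	return nil
}

func main() {
	now := time.Now()
	leaf, key, bundle := newTestPKI(now.Add(-2*time.Hour), now.Add(-time.Hour)) // SVID already expired
	digest := sha256.Sum256([]byte("constructed event payload"))
	sig := must(signDigest(key, digest[:]))
	fmt.Println("at signing time:", verifySigned(leaf, bundle, digest[:], sig, now.Add(-90*time.Minute)))
	fmt.Println("now:", verifySigned(leaf, bundle, digest[:], sig, now))
}
```

The order in `verifySigned` matters for the failure modes the commit message distinguishes: a chain failure (expired at the chosen time, or a leaf that does not chain to the bundle) is reported separately from a bad signature, and the caller, not the leaf's `NotAfter`, decides which instant the chain is evaluated at. Passing `time.Now()` for a fresh signature keeps an expired SVID from being accepted, while passing a recorded event timestamp lets historical signatures be audited.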
9d51992 to a9b3133
acroca approved these changes Mar 24, 2026